The anti-f-droid take is uninformed

Writing in response to the guide Android> Obtaining Applications guide, which says,

We only recommend F-Droid as a way to obtain apps which cannot be obtained via the means above. F-Droid is often recommended as an alternative to Google Play, particularly within the privacy community. […] However, there are some security-related downsides to how F-Droid builds, signs, and delivers packages…

F-Droid is by no means perfect, but the reality is that only with a third party can you ensure that builds are secure and protect your information and privacy. There is no magic GitHub action that does this. You can either trust F-droid, or you can trust 10,000 individual developers none of which provide insights into the package, or test it for things you value – like privacy.

It’s trendy to dis F-droid, but you’re talking about people in the business of stamping things as secure, and which have a universal open source and automated process they provide for every app developer. In all but the most extreme cases, it’s a value add. You can’t trust your average developer to be as rigorous as the F-Droid community and their build system – they’re not.

And some of it just incorrect, for example:

Additionally, the requirements for an app to be included in the official F-Droid repo are less strict than other app stores like Google Play, meaning that F-Droid tends to host a lot more apps which are older, unmaintained, or otherwise no longer meet modern security standards.

Just straight up incorrect. The vast vast majority of apps on the Play Store (99%?) would not be allowed in F-Droid. F-Droid is far more conservative. It requires FLOSS software, many of the Google APKs even if they ship everywhere are blacklisted, and all projects must provide a publicly available source repo to pull from.

Here are a few cases where I’ve seen it matter. (I can’t post more than two links in my initial post). I’m a new user here.

OSMAnd+ was for a long time delisted on F-Droid. Why? Because it sends telemetry to their own server. This is patched. But only for the F-Droid version. Get it on the PlayStore or from the developers directly, you have telemetry. Osmand - sends telemetry to index server even if telemetry is disabled (#2747) · Issues · F-Droid / Data · GitLab

Flipper Zero Android: Same story. The official Flipper Zero application provides click tracking and telemetry. The nature of the flipper inclines me to be highly concerned about that – this can actually get users arrested. Remove Countly tracker library. · Issue #593 · flipperdevices/Flipper-Android-App · GitHub

StreetComplete: In this case the author didn’t even know he wasn’t using free software. In fact, GOOGLE WAS RELEASING IT WITH A MISLEADING HEADER AND THEY DIDN’T KNOW. This was a binary blob and there was no source code for it. Google only “open-sourced” the headers (as if they didn’t know the difference) non-free dependency: Google AR Core · Issue #4289 · streetcomplete/StreetComplete · GitHub The author assumed the binary blobs were open sourced and had community oversight… until F-droid informed him otherwise because of their build systems.

You still have to trust the developers of your apps, but now you’re just adding another party to trust, which is F-Droid.

F-Droid doesn’t audit the code that they build, they just use some fairly simple automated scanning, etc.

Telemetry is allowed on F-Droid, but if you do have telemetry in your app, then your app will be marked with an Anti-Feature.

No, I don’t have to trust the developers. There is a system in place that checks for external IO during build, that checks for blacklisted modules, that builds without binary APKs etc. It’s a checks-and-balance system. You can call it “fairly simple automated scanning” but it’s not that simple. I’ve given you clear examples that aren’t hypothetical of it being a value add in the domain you’re most concerned about: privacy. And it still is: most of OSMAnd+ and Flipper still ship the versions with trackers on the Play Store on Github.

Telemetry is allowed on F-Droid, but if you do have telemetry in your app, then your app will be marked with an Anti-Feature.

So long as the telemetry library is an SDK and not a blob (as it is in the case of Google SDKs), yes. Sure. You can ship with a notification. And that’s the ideal right – inform your users, something you can’t get with Play Store or on GitHub.

These automated scans rely on badness enumeration, you can read about it here: Badness Enumeration | PrivSec - A practical approach to Privacy and Security

I believe obtainium is kinda the best way to obtain apk’s rn if you trust the devs.

F-droid can just be used to read its report because of that inclusion policy.

https://bowtiedanon.com/android/

The best way to obtain apps for most people is by using the sandboxed Google Play Store.

… and if you really want to install your applications sourcing from F-Droid, Obtainium gives you this option.

I wonder if some day we will see more apps available in Accrescent.

And you will be pretty much DDoSing f-droid.org. Because Obtainium doesn’t have proper support for mirrors.

Yes, when Accrescent releases a stable version.

It’s not true that it just relies on badness enumeration.

• The list of external sources that you can pull from during build for example, is white listed… fdroidserver/scanner.py · master · F-Droid / fdroidserver · GitLab
• There are checks for example that ensure you’re not stuffing Zip files with improper extensions into your APK, fdroidserver/scanner.py · master · F-Droid / fdroidserver · GitLab The extensions that are acceptable for the zip mimetype, are whitelisted: .zip.

No one is arguing that F-Droid is perfect, but as a matter of fact it is more restrictive and provides an additional checks over just downloading an APK from GitHub release which could just be malware.

And I would be interested in seeing what ideas you have for the F-droid scanner that they’re rejecting. I’m showing actual examples where they make things more secure for users and protect their privacy. Your response isn’t a refutation, it’s a theoretical point that blacklisting isn’t good enough (which is true, it’s not all they’re doing), and it’s also silly because the alternative you’re accepting and that privacyguides is pushing is nothing, just blind trust for the author. Show me a PR where you have an idea for an improvement and a patch that’s rejected. I doubt you’ll find any of these tests no matter how basic in a CI on GitHub.

Didn’t know this, learned something new. Thanks

I would say that these are good points for apps on F-Droid which are actively developed. One of the biggest problems with F-Droid (IMHO) is the amount of abandonware. I can search for a fairly common thing like “GitHub” and the first result is an app which has received no updates since 2014, just as one of many possible examples.

Click the button on the top-right it should show a clock if you want to order by date. The first relevant result then is Octodroid, albeit there are lots of irrelevant results. OctoDroid was last updated 2 months ago.

But I’m not here to defend the UI. I’m just saying the information, including the last-updated date, is presented to you. And there are REAL CONCRETE benefits to your privacy to use F-Droid. I provided not 1, but 3 real world cases that directly impacted me. I’m not a maintainer. I don’t publish packages on F-Droid. I’m just a user. And this guide seems both wrong in spirit, and factually wrong in the words too “less strict” in the context of privacy, means the apps are more likely to reveal your information.

Of course, probably 99% of the apps people download from the Play Store have trackers. I don’t think anyone in this conversation can show you one application with a tracker library and no notification on F-Droid now. And, many of the applications without trackers are ONLY available on F-droid (and not on GitHub).

The biggest problem is that apps can fall behind on updates for weeks, which is why I stopped using F-Droid after advocating for it for quite some time.

One example: LibreTube on F-Droid is 0.14.0 and on GitHub it’s 0.15.1.

Which is a poor choice by the developers. Molly does it right and provides both Molly and Molly-FOSS on GitHub.

You can find both Aves Gallery and Aves Gallery Libre on GitHub and Accrescent.

It’s not really a question of UI, I’m just saying that Google Play is indeed stricter than F-Droid in some respects. In other respects, the reverse is true as you’ve mentioned.

It is a legitimate problem for these ancient apps to be available and prominently advertised, the minimum SDK targets exist for a reason.

They fall behind on updates sometimes, sure. That’s very frequently because of failures to build because of the violations we are mentioning here. (Like for example, in the case of Street Maps, mine was like 3 months out of date. But that’s because the author incorporated that Google ARCore SDK which was closed source. I’m glad they didn’t roll that out to me. It probably would not have worked anyway: I use LineageOS wo/ GApps).

But sure, even in ideal conditions sometimes their builds break. It’s certainly more often then I’d like too, I just accept that forcing users to build outside of their ideal environment is something that’s required to ensure apps meet a higher standard of privacy, and that should be the value here too on a site called Privacy Guide. The priority shouldn’t be fast-deployments. Forcing the build in a constrained environment is more work, and more room for failure.

It’s not just because of violations.

Your MR has just been merged, but the APK did not show up immediately? That’s normal: the APK must first be built on the build server (happens automatically when the next build cycle starts), then signed (manual step), then a new index must be created and deployed.

• a build cycle currently can take up to 72h (hard limit)
• apps are manually signed after that (if not reproducible), and then uploaded
• next build cycle starts after signing is completed

So if you’re lucky, it takes 3 days (new build cycle just started minutes after the merge). If you’re not-that-lucky (merge happened a minute after a build cycle started), it will take 6 days. If you’re very unlucky, Murphy visits in between with some problems… So don’t panic before 7 days have passed, please.

Please also note that the website is updated asynchronously – so while the index might already have reached your local client, website might still be a bit behind.